make auditd list autogenerate

This commit is contained in:
Louis Abel 2023-08-14 00:34:58 -07:00
parent 6bac02cc45
commit 6d0a216712
Signed by: label
GPG key ID: 3331F061D1D9990E
3 changed files with 57 additions and 53 deletions


@ -21,6 +21,14 @@
tags:
- harden
- name: Collect specific executables for dynamic list
ansible.builtin.command: "find /usr/bin /usr/sbin /usr/lib /usr/libexec -xdev -perm /6000 -type f"
register: exec_find_output
- name: Set variable for above collection
ansible.builtin.set_fact:
audit_suid_list: "{{ exec_find_output.stdout_lines }}"
- name: Ensure collection audit rules are available
ansible.builtin.template:
src: "etc/audit/rules.d/collection.rules.j2"
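Review bot: The `find` task named `Collect specific executables for dynamic list` is a read-only probe but has no `changed_when: false`, so every run reports a change, and without `check_mode: false` the command is skipped under `--check`, which would leave `exec_find_output` without `stdout_lines` for the following `set_fact` to read. Adding `changed_when: false` and `check_mode: false` to that task keeps the play idempotent and check-mode safe. `-perm /6000` matches setgid as well as setuid files, which the name `audit_suid_list` does not convey; a comment such as `# -perm /6000 matches any setuid OR setgid file, not only SUID` above the task would make the scope explicit. The task list continues outside the hunk on both sides.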


@ -1,10 +1,8 @@
# Ignore CWD logs
-a exclude,always -F msgtype=CWD
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
## Records when events occur that modify user and group passwords and ID's
@ -13,8 +11,8 @@
{% endfor %}
## Records changes to network environment files or system calls
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
@ -40,16 +38,16 @@
## Monitor changes for files for UID's above {{ audit_auid }}
# You can take this out if you are on a non-PCI system
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
## Monitors mounting events for users
# You can probably take these out
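Review bot: The three `access` rules for `arch=b64 ... exit=-EACCES`, `arch=b32 ... exit=-EACCES` and `arch=b64 ... exit=-EPERM` carry a stray leading comma in the syscall list (`-S ,creat,open,...`), unlike the `arch=b32 ... exit=-EPERM` line directly above them. auditctl's comma tokenizer may tolerate the empty first element, but it is a typo and should read `-S creat,open,openat,open_by_handle_at,truncate,ftruncate` on all three lines so the rules are uniform and parse unambiguously on any auditctl version. Separately, the merged `time-change` rule in the first hunk drops the `-F a0=0x0` qualifier that the two `clock_settime` rules previously had, so `clock_settime` is now audited for every clock id rather than only `a0=0x0` (CLOCK_REALTIME); if that widening is intentional, a one-line comment above the rule saying so would save the next reader a diff.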


@ -122,48 +122,46 @@ audit_identity_list:
- /etc/shadow
- /etc/security/opasswd
audit_logins:
- /var/log/faillog
- /var/log/faillock
- /var/log/lastlog
- /var/log/tallylog
- /var/log/faillock/
- /var/log/wtmp
- /var/log/btmp
audit_session:
- /var/run/utmp
audit_suid_list:
- /usr/libexec/sssd/proxy_child
- /usr/libexec/sssd/ldap_child
- /usr/libexec/sssd/krb5_child
- /usr/libexec/sssd/selinux_child
- /usr/libexec/dbus-1/dbus-daemon-launch-helper
- /usr/libexec/utempter/utempter
- /usr/libexec/openssh/ssh-keysign
- /usr/lib/polkit-1/polkit-agent-helper-1
- /usr/sbin/usernetctl
- /usr/sbin/postqueue
- /usr/sbin/unix_chkpwd
- /usr/sbin/postdrop
- /usr/sbin/pam_timestamp_check
- /usr/sbin/netreport
- /usr/sbin/mount.nfs
- /usr/bin/su
- /usr/bin/ksu
- /usr/bin/write
- /usr/bin/newgrp
- /usr/bin/chage
- /usr/bin/mount
- /usr/bin/ssh-agent
- /usr/bin/sudo
- /usr/bin/passwd
- /usr/bin/gpasswd
- /usr/bin/at
- /usr/bin/wall
- /usr/bin/chsh
- /usr/bin/locate
- /usr/bin/chfn
- /usr/bin/umount
- /usr/bin/crontab
- /usr/bin/pkexec
# audit_suid_list:
# - /usr/libexec/sssd/proxy_child
# - /usr/libexec/sssd/ldap_child
# - /usr/libexec/sssd/krb5_child
# - /usr/libexec/sssd/selinux_child
# - /usr/libexec/dbus-1/dbus-daemon-launch-helper
# - /usr/libexec/utempter/utempter
# - /usr/libexec/openssh/ssh-keysign
# - /usr/lib/polkit-1/polkit-agent-helper-1
# - /usr/sbin/usernetctl
# - /usr/sbin/postqueue
# - /usr/sbin/unix_chkpwd
# - /usr/sbin/postdrop
# - /usr/sbin/pam_timestamp_check
# - /usr/sbin/netreport
# - /usr/sbin/mount.nfs
# - /usr/bin/su
# - /usr/bin/ksu
# - /usr/bin/write
# - /usr/bin/newgrp
# - /usr/bin/chage
# - /usr/bin/mount
# - /usr/bin/ssh-agent
# - /usr/bin/sudo
# - /usr/bin/passwd
# - /usr/bin/gpasswd
# - /usr/bin/at
# - /usr/bin/wall
# - /usr/bin/chsh
# - /usr/bin/locate
# - /usr/bin/chfn
# - /usr/bin/umount
# - /usr/bin/crontab
# - /usr/bin/pkexec
disable_svc:
- cups
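Review bot: With the static `audit_suid_list` default commented out, the role appears to define that variable only through the runtime `set_fact` in the tasks, so a run that reaches the `collection.rules.j2` template without the collection task (a tag subset, or a skipped `find`) would fail on an undefined variable instead of rendering an empty list. Keeping an empty default, `audit_suid_list: []  # populated at runtime by the "Collect specific executables for dynamic list" task`, gives a predictable fallback, since `set_fact` takes precedence over role defaults and still overrides it on a normal run. The 34 commented-out paths are dead configuration that will drift from the live `find` output; replacing them with that one-line comment is clearer than keeping them. The rendered section's line counts do not quite match the `-122,48 +122,46` header, so a line or two of this hunk may not have survived rendering.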